Data Processing Addendum (GDPR Art. 28)
Last updated: Jan 6th, 2026
This DPA is incorporated into the SquadraOne Terms & Conditions (the “Agreement”).
Processor: Squadra SAS (France), RCS/registration number 933 235 087 (“Squadra”)
Controller: the Customer/User under the Agreement (“Customer”)
1. Scope
This DPA applies where Squadra processes Personal Data contained in Customer Data as Processor on behalf of Customer in providing the Services.
Where Squadra processes Personal Data as Controller (e.g., account administration, billing, platform security logs, product analytics), that processing is governed by the Privacy Policy and not this DPA.
2. Definitions
Capitalized terms not defined here have the meaning in the Agreement.
- Customer Data: data submitted to or processed via the Services on Customer’s behalf, including via Integrations.
- Personal Data / Processing / Controller / Processor: as defined in GDPR.
- Subprocessor: a third party engaged by Squadra to process Customer Data.
3. Roles
- Customer is Controller of Personal Data in Customer Data.
- Squadra is Processor of such Personal Data.
4. Processing details (Art. 28(3))
The processing is described in Annex 1.
5. Processor obligations
Squadra shall:
5.1 Process only on documented instructions
Process Personal Data only on documented instructions from Customer, including instructions given through Customer’s use and configuration of the Services, unless required by applicable law (in which case Squadra will inform Customer unless legally prohibited).
5.2 Confidentiality
Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
5.3 Security (Art. 32)
Implement appropriate technical and organizational measures (TOMs) as set out in Annex 2.
5.4 Subprocessors (Art. 28(2) & (4))
Customer grants Squadra a general authorization to engage Subprocessors.
- Current Subprocessors are listed in Annex 3.
- Squadra will impose obligations on Subprocessors no less protective than this DPA.
- Squadra remains responsible for Subprocessor compliance.
Subprocessor updates. Squadra will provide prior notice of intended changes to Subprocessors (e.g., via email or in-app notice, and/or by updating a published subprocessor list). Customer may object on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected Services.
5.5 Assistance
Squadra will provide reasonable assistance (taking into account the nature of processing) to help Customer meet obligations regarding:
- data subject requests (Arts. 15–22),
- breach notifications (Arts. 33–34),
- DPIAs and consultations (Arts. 35–36),
to the extent Customer cannot do so using the Services.
Squadra may charge reasonable fees for excessive or repetitive requests.
5.6 Breach notification
Squadra will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data and provide reasonably available details.
5.7 Deletion / return
Upon termination, Squadra will delete or anonymize Personal Data in Customer Data within the deletion/retention timeframe in the Agreement (currently up to 90 days), unless retention is required by law. Where feasible, Squadra may return Customer Data upon request.
5.8 Audits
Customer may audit Squadra’s compliance:
- at most once per year (unless a material incident occurs),
- with reasonable notice,
- subject to confidentiality and security constraints.
Squadra may satisfy audits via documentation, security summaries, and limited inspection where appropriate.
6. International transfers
Some Subprocessors (including LLM providers) may process data outside the EEA/UK. Where required, Squadra will ensure appropriate safeguards (e.g., SCCs, adequacy decisions, or other lawful mechanisms).
7. Precedence
If this DPA conflicts with the Agreement regarding processor obligations, this DPA prevails to that extent.
Annex 1 — Processing details (Art. 28(3))
A. Subject-matter
Provision of an AI-agent SaaS service including Integrations, creation/modification of content in connected tools, generation of Outputs, and related support and security operations.
B. Duration
For the term of the Agreement plus the retention period (currently up to 90 days after termination), unless longer retention is required by law.
C. Nature of processing
Accessing, storing, organizing, transforming, and generating Outputs from Customer Data as instructed through Customer’s use of the Services, including reading/writing/modifying content in connected tools.
D. Purpose
To provide and operate the Services, including debugging, security, platform integrity, and improvement of prompts/workflows and service quality.
E. Categories of data subjects
Depending on Customer usage:
- Customer (User), their contractors and collaborators;
- Customer’s clients, prospects, suppliers, contacts;
- individuals referenced in Customer’s calendar events, documents, CRM-like notes, or content.
F. Categories of personal data
May include:
- names, emails, phone numbers, profile data;
- calendar event titles, descriptions, participants;
- content stored in Notion pages/workspaces (notes, documents, CRM-like entries);
- drafts for messages and publications;
- logs of agent actions within Customer workspaces.
Important note (LLM inference): Customer acknowledges that when the Services call third-party LLM providers, prompt/context may include Customer Data and may include Personal Data, and no minimization/redaction is performed by default.
Annex 2 — Security measures (TOMs)
Squadra maintains measures appropriate to risk, including:
- Hosting / region
  - Production hosted on Google Cloud Platform (GCP) in region europe-west9 (Paris) for core workloads, subject to the configuration of specific services and vendor constraints.
- Access controls
  - Production access restricted to authorized Squadra personnel (currently the internal development team).
  - Role-based permissions and least-privilege principles.
- Authentication
  - Strong authentication for infrastructure/admin consoles (including MFA where available).
- Secrets and tokens
  - OAuth tokens and credentials are stored using industry-standard safeguards and access controls.
  - Access to secrets is restricted and audited.
- Encryption
  - Encryption in transit (TLS) for network communications.
  - Encryption at rest is used where supported/appropriate by the underlying managed services.
- Logging & monitoring
  - Logging of key system events and administrative access.
  - Monitoring for abuse and anomalous behavior (proportionate to stage).
- Backups / recovery
  - Backups for critical systems (e.g., managed database) with reasonable restoration capability.
- Incident response
  - Documented incident response process, including breach escalation and customer notification without undue delay.
- Contractors
  - As of the effective date, no contractors have production access.
  - If contractors are engaged in the future, access (if needed) will be time-bound to the mission and subject to confidentiality and appropriate controls.
Annex 3 — Subprocessors
See Subprocessor List at: